Penetration Testing mailing list archives
Re: nmap showing port 21 (ftp) open, but port is actually closed
From: Andres Riancho <andres.riancho () gmail com>
Date: Sun, 11 Sep 2005 18:42:25 -0300
Mike, This could be a transparent proxy server that your ISP installed. A way to test if you are proxyed is: gauss:~# tcptraceroute www.google.com 80 Selected device eth1, address 24.232.100.167, port 3539 for outgoing packetsTracing the path to www.google.com (64.233.161.99) on TCP port 80 (www), 30 hops max
1 * 10.17.1.1 7.865 ms * 2 10.101.1.25 10.882 ms 13.205 ms 7.474 ms 3 publica1.fibertel.com.ar (24.232.1.1) 7.483 ms 5.732 ms 8.831 ms 4 64.233.161.99 [open] 7.639 ms 32.874 ms 13.350 ms Only 4 hops for port 80. Strange ... Lets see what happends for real... gauss:~#traceroute 64.233.161.99 traceroute to 64.233.161.99 (64.233.161.99), 30 hops max, 38 byte packets 1 * * * 2 10.101.1.25 (10.101.1.25) 10.071 ms 8.694 ms 28.814 ms 3 publica1.fibertel.com.ar (24.232.1.1) 7.851 ms 26.046 ms 11.893 ms 4 10.101.21.85 (10.101.21.85) 11.420 ms 21.271 ms 8.380 ms5 bai1-cablevision-1-ar.bai.seabone.net (195.22.220.45) 7.919 ms 9.622 ms 20.910 ms 6 ash1-new1-racc1.new.seabone.net (195.22.216.169) 188.225 ms 198.841 ms 183.207 ms 7 eqixva-google-gige.google.com (206.223.115.21) 184.185 ms 183.390 ms 201.727 ms 8 216.239.47.120 (216.239.47.120) 186.700 ms 183.013 ms 216.239.49.248 (216.239.49.248) 183.718 ms 9 216.239.48.190 (216.239.48.190) 186.032 ms 184.994 ms 216.239.48.198 (216.239.48.198) 183.713 ms
10 64.233.161.99 (64.233.161.99) 183.273 ms 184.863 ms 186.683 msWell, this makes more sense to me :) . You could do the same test but changing port 80 to 21.
Mike Jones wrote:
Has anyone ever seen this before, nmap is showing port 21 to be open on a machine on the internet, but 21 is not listening on that machine. It happens to all machines I scan outside the local area network.Thanks in advance
-- Andrés Riancho http://www.securearg.net/ Secure from the Source ------------------------------------------------------------------------------Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------------------------
Current thread:
- nmap showing port 21 (ftp) open, but port is actually closed Mike Jones (Sep 11)
- Re: nmap showing port 21 (ftp) open, but port is actually closed cy.wang (Sep 12)
- Re: nmap showing port 21 (ftp) open, but port is actually closed Aaron J. Bedra (Sep 12)
- Re: nmap showing port 21 (ftp) open, but port is actually closed Luke Eckley (Sep 12)
- Re: nmap showing port 21 (ftp) open, but port is actually closed Mordread Wallas (Sep 12)
- Re: nmap showing port 21 (ftp) open, but port is actually closed Josh Zlatin-Amishav (Sep 12)
- Re: nmap showing port 21 (ftp) open, but port is actually closed Andres Riancho (Sep 12)
- Re: nmap showing port 21 (ftp) open, but port is actually closed Paul Day (Sep 12)
- Re: nmap showing port 21 (ftp) open, but port is actually closed Thor (Hammer of God) (Sep 12)
- <Possible follow-ups>
- Re: nmap showing port 21 (ftp) open, but port is actually closed Steve.Cummings (Sep 12)
- RE: nmap showing port 21 (ftp) open, but port is actually closed Andre Protas (Sep 14)
- RE: nmap showing port 21 (ftp) open, but port is actually closed Drage, Nick (Sep 16)
- Re: nmap showing port 21 (ftp) open, but port is actually closed cy.wang (Sep 12)